304 lines
9.0 KiB
YAML
304 lines
9.0 KiB
YAML
# -*- mode: yaml; indent-tabs-mode: nil; tab-width: 2; coding: utf-8-unix -*-
|
|
|
|
---
|
|
|
|
- name: "proxy whonix_host.yml"
|
|
debug:
|
|
verbosity: 1
|
|
msg: "proxy whonix_host.yml BOX_WHONIX_PROXY_HOST={{BOX_WHONIX_PROXY_HOST}}"
|
|
|
|
- name: chmod 664 /etc/libvirt/qemu/*xml
|
|
shell: |
|
|
chmod 664 /etc/libvirt/qemu/*xml || true
|
|
|
|
- name: /etc/libvirt/hooks/network
|
|
blockinfile:
|
|
dest: /etc/libvirt/hooks/network
|
|
create: yes
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
|
|
mode: 0775
|
|
block: |
|
|
[ ! -f /usr/local/sbin/proxy_libvirt_hook_network.bash ] || \
|
|
/usr/local/sbin/proxy_libvirt_hook_network.bash
|
|
when: false # now in overlay
|
|
|
|
# FixMe: Whats the right consitonal for starting polipo
|
|
#- block:
|
|
|
|
# to be run on the host to use the gateway as our proxy using ports via iptables
|
|
# The proxy setup to be run are a way of centralizing tasks from other roles be run on the gateway.
|
|
|
|
- stat: path=/etc/polipo/config
|
|
register: polipo_conf
|
|
|
|
- name: PRIV_TOR_TYPE in ['client']
|
|
assert:
|
|
# drive from {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
|
|
that:
|
|
- "'{{PROXY_WHONIX_HTTPS_PORT}}' != ''"
|
|
- "'{{PROXY_WHONIX_SOCKS_PORT}}' != ''"
|
|
- "'{{PROXY_WHONIX_SOCKS_USER}}' != ''"
|
|
- "'{{PROXY_WHONIX_SOCKS_PASS}}' != ''"
|
|
- "'{{PROXY_WHONIX_DNS_PORT}}' != ''"
|
|
- "'{{PROXY_WHONIX_TRANS_PORT}}' != ''"
|
|
- "'{{PROXY_WHONIX_BUKU_PORT}}' != ''"
|
|
|
|
- name: PRIV_TOR_TYPE in ['client']
|
|
set_fact:
|
|
# {{SOCKS_PROXYTYPE}}://{{SOCKS_PROXYHOST}}:{{SOCKS_PROXYPORT}}
|
|
PROXY_POLIPO_SOCKSHOST: "{{PROXY_WHONIX_SOCKS_HOST}}"
|
|
PROXY_POLIPO_SOCKSPORT: "{{PROXY_WHONIX_SOCKS_PORT}}"
|
|
PROXY_POLIPO_SOCKSUSER: "{{PROXY_WHONIX_SOCKS_USER}}"
|
|
PROXY_POLIPO_SOCKSPASS: "{{PROXY_WHONIX_SOCKS_PASS}}"
|
|
PROXY_POLIPO_SOCKSTYPE: "socks5"
|
|
PRIV_FIREWALL_SET: whonix
|
|
HARDEN_DNS_PORT: "{{PROXY_DNS_PORT}}"
|
|
when:
|
|
- BOX_WHONIX_PROXY_HOST != ""
|
|
|
|
- name: "/etc/modules-load.d/firewall.conf"
|
|
blockinfile:
|
|
dest: /etc/modules-load.d/firewall.conf
|
|
create: yes
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
|
|
block: |
|
|
ip_tables
|
|
ipt_REJECT
|
|
iptable_filter
|
|
iptable_nat
|
|
xt_LOG
|
|
xt_conntrack
|
|
xt_nat
|
|
xt_owner
|
|
xt_state
|
|
xt_tcpudp
|
|
nf_conntrack
|
|
nf_defrag_ipv4
|
|
# 5.15 nf_log_common
|
|
nf_log_ipv4
|
|
nf_nat
|
|
#5 nf_nat_ipv4
|
|
#5 nf_reject_ipv4
|
|
#5 x_tables
|
|
xt_MASQUERADE
|
|
nft_masq
|
|
iptable_mangle
|
|
bridge
|
|
|
|
- name: template /etc/firewall.conf
|
|
template:
|
|
force: no
|
|
src: "etc/firewall-tor_{{PRIV_FIREWALL_SET}}.conf"
|
|
dest: /etc/firewall.conf
|
|
|
|
- name: /etc/polipo/config
|
|
lineinfile:
|
|
dest: /etc/polipo/config
|
|
regexp: '^#* *{{item.name}}.*'
|
|
line: "{{item.name}}={{item.val}}"
|
|
state: present
|
|
owner: "{{BOX_ROOT_USER}}"
|
|
group: "{{BOX_ROOT_GROUP}}"
|
|
mode: 0644
|
|
create: yes
|
|
with_items:
|
|
- { name: daemonise, val: false }
|
|
- { name: diskCacheRoot, val: "" }
|
|
- { name: disableLocalInterface, val: true }
|
|
- { name: proxyAddress, val: 127.0.0.1 }
|
|
- { name: proxyName, val: 127.0.0.1 }
|
|
- { name: proxyPort, val: "{{ PROXY_POLIPO_PROXYPORT }}" }
|
|
- { name: allowedClients, val: 127.0.0.1 }
|
|
- { name: socksParentProxy, val: "{{PROXY_POLIPO_SOCKSHOST}}:{{PROXY_POLIPO_SOCKSPORT}}" }
|
|
- { name: socksProxyType, val: "{{PROXY_POLIPO_SOCKSTYPE}}" }
|
|
# - { name: socksUserName, val: "foo" } # not Debian - unenforced?
|
|
- { name: disableVia, val: true }
|
|
# can be a directory
|
|
- { name: forbiddenFile, val: /etc/polipo/forbidden }
|
|
# maybe the same directory forbids the same tunnelling
|
|
- { name: forbiddenTunnelsFile, val: /etc/polipo/forbidden }
|
|
- { name: allowedPorts, val: 1-65535 }
|
|
- { name: tunnelAllowedPorts, val: 1-65535 }
|
|
- { name: logFile, val: "{{ PROXY_POLIPO_LOG }}" }
|
|
- { name: logSyslog, val: false }
|
|
- { name: logLevel, val: 455 }
|
|
# logLevel=0x107
|
|
when:
|
|
- not ansible_check_mode
|
|
- polipo_conf.stat.exists == true
|
|
|
|
# FixMe: make logLevel high but make the log file root readable only
|
|
- name: chmod /var/log/polipo.log
|
|
file:
|
|
state: file
|
|
path: "{{ PROXY_POLIPO_LOG }}"
|
|
mode: 0640
|
|
owner: "{{ PROXY_POLIPO_OWNER }}"
|
|
group: "{{ PROXY_POLIPO_GROUP }}"
|
|
when:
|
|
- not ansible_check_mode
|
|
# FixMe: may not have been started
|
|
ignore_errors: true
|
|
|
|
#- name: virsh list
|
|
# command: virsh list
|
|
# register: virsh_list
|
|
# when:
|
|
# - ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
|
|
|
|
- block:
|
|
|
|
- name: polipo Whonix-Gateway
|
|
shell: |
|
|
ifconfig | grep virbr || exit 0
|
|
# FixMe: which is gateway
|
|
grep '^allowedClients=.*/' /etc/polipo/config && \
|
|
sed -e 's/allowedClients=.*/allowedClients=127.0.0.1/' -i /etc/polipo/config || \
|
|
echo 'allowedClients=127.0.0.1' >> /etc/polipo/config
|
|
|
|
ifconfig | grep br | grep inet | while read inet ip rest ; do
|
|
sed -e "s/allowedClients=.*/&,$ip/" -i /etc/polipo/config
|
|
done
|
|
. /usr/local/etc/local.d/local.bash
|
|
proxy_rc_service polipo restart
|
|
|
|
when:
|
|
- false
|
|
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
|
|
# was in hostvms libvirt.yml
|
|
- block:
|
|
|
|
- name: /etc/libvirt/hooks/network
|
|
lineinfile:
|
|
path: "/etc/libvirt/hooks/network"
|
|
create: yes
|
|
mode: 0775
|
|
insertafter: BOF
|
|
line: "#!/bin/sh"
|
|
regexp: "#./bin/sh"
|
|
when: false # now in overlay
|
|
|
|
- name: /usr/local/bin/proxy_libvirt_hook_network.bash
|
|
blockinfile:
|
|
dest: /etc/libvirt/hooks/network
|
|
marker: "# {mark} ANSIBLE MANAGED BLOCK proxy whonix_host.yml"
|
|
mode: 0775
|
|
block: |
|
|
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
|
|
|
|
# hung processes will hang virsh list
|
|
[ ! -x /usr/local/bin/proxy_libvirt_hook_network.bash ] || \
|
|
timeout --kill-after=10 10 /usr/local/bin/proxy_libvirt_hook_network.bash $*
|
|
[ $? -ne 0 ] && \
|
|
logger $0 WARN: /usr/local/bin/proxy_libvirt_hook_network.bash retval=$?
|
|
exit 0
|
|
when: false # now in overlay
|
|
|
|
- name: proxy_libvirt_no_autostart
|
|
shell: |
|
|
/usr/local/bin/proxy_ping_lib.bash proxy_libvirt_no_autostart
|
|
|
|
- name: /etc/init.d/libvirtd
|
|
shell: |
|
|
# now moved to /usr/local/bin/proxy_hourly.bash
|
|
[ ! -f /usr/local/bin/proxy_hourly.bash ] || /usr/local/bin/proxy_hourly.bash
|
|
exit 0
|
|
when: false
|
|
|
|
- name: "/etc/conf.d/libvirtd"
|
|
lineinfile:
|
|
dest: "/etc/{{ETC_CONF_D}}/libvirtd"
|
|
insertbefore: BOF
|
|
mode: 0755
|
|
owner: "{{BOX_ROOT_USER}}"
|
|
group: "{{BOX_ROOT_GROUP}}"
|
|
create: yes
|
|
regexp: "^rc_need"
|
|
line: "#rc_need"
|
|
|
|
when:
|
|
- ansible_virtualization_role|replace('NA', 'host') == 'host'
|
|
- ansible_connection|default('') not in PLAY_CHROOT_CONNECTIONS
|
|
- "'libvirt' in BOX_HOSTVMS_FEATURES or BOX_WHONIX_PROXY_HOST != ''"
|
|
|
|
- block:
|
|
|
|
- name: /etc/rc.local
|
|
shell: |
|
|
[ -f /etc/rc.local ] && exit 0
|
|
cp -p /usr/local/etc/local.d/Whonix-Host.local /etc/rc.local
|
|
when:
|
|
- BOX_OS_FLAVOR|default('') == 'KickSecure'
|
|
|
|
- name: /usr/local/src/secbrowser.bash
|
|
shell: |
|
|
[ -f /usr/local/src/secbrowser.bash ] && exit 0
|
|
/usr/local/local/src/secbrowser.bash
|
|
when:
|
|
- BOX_OS_FLAVOR|default('') == 'KickSecure'
|
|
when:
|
|
- "ansible_virtualization_role|replace('NA', 'host') == 'host'"
|
|
|
|
- block:
|
|
|
|
- name: /run/tmp
|
|
shell: |
|
|
[ -d /run/tmp ] && exit 0
|
|
mkdir /run/tmp
|
|
chmod 1777 /run/tmp
|
|
# lib64 is not being made
|
|
mkdir -p /usr/local/lib/python3.11/site-packages \
|
|
/usr/local/lib64/python3.11/site-packages
|
|
when:
|
|
- external_out.rc|default(1) == 0
|
|
- external_out.stdout|default('') != ''
|
|
|
|
- name: proxy_libvirt_forward.bash
|
|
shell: |
|
|
ps ax | grep proxy_libvirt_forward.bash && exit 0
|
|
proxy_libvirt_forward.bash
|
|
when:
|
|
- external_out.rc|default(1) == 0
|
|
- external_out.stdout|default('') != ''
|
|
# box mode is tor or
|
|
become: yes
|
|
become_user: "{{ BOX_USER_NAME }}"
|
|
|
|
when:
|
|
- ansible_connection|default('') in ['libvirt_qemu']
|
|
|
|
- name: /etc/rc.local
|
|
shell: |
|
|
[ -f /etc/rc.local ] && exit 0
|
|
cp -p /usr/local/etc/local.d/Whonix-Vda.local /etc/rc.local
|
|
when:
|
|
- proxy_vda_cmdline_fact|default(1) == 0
|
|
|
|
- name: /etc/rc.local
|
|
shell: |
|
|
[ -f /etc/rc.local ] && exit 0
|
|
cp -p /usr/local/etc/local.d/Whonix-Gateway.local /etc/rc.local
|
|
when:
|
|
- BOX_OS_FLAVOR|default('') == 'WhonixGateway'
|
|
|
|
- name: /etc/rc.local Workstation
|
|
shell: |
|
|
[ -f /etc/rc.local ] && exit 0
|
|
cp -p /usr/local/etc/local.d/Whonix-Workstation.local /etc/rc.local
|
|
when:
|
|
- BOX_OS_FLAVOR|default('') == 'WhonixWorkstation'
|
|
|
|
when:
|
|
- ansible_virtualization_role|replace('NA', 'host') == 'guest'
|
|
|
|
|
|
- block:
|
|
|
|
- name: /usr/local/src/secbrowser.bash
|
|
shell: |
|
|
[ -f /usr/local/src/secbrowser.bash ] && exit 0
|
|
/local/src/secbrowser.bash
|
|
|
|
when:
|
|
- BOX_OS_FLAVOR|default('') == 'KickSecure' or proxy_vda_cmdline_fact|default(1) == 0
|